Event detection removing private information

ABSTRACT

The present invention extends to methods, systems, and computer program products for event detection removing private information. In one aspect, an event detection infrastructure determines that characteristics of multiple signals, when considered collectively, indicate an event of interest to one or more parties. In another aspect, an evaluation module determines that characteristics of one or more signals indicate a possible event of interest to one or more parties. A validator then determines that characteristics of one or more other signals validate the possible event as an actual event of interest to the one or more parties. Signal features can be used to compute probabilities of events occurring. A privacy infrastructure spans signal ingestion, event detection, and event notification and protects the integrity of private information.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent applicationSer. No. 16/029,481, entitled “Detecting Events From Features DerivedFrom Multiple Ingested Signals”, filed Jul. 6, 2018 which isincorporated herein in its entirety.

That application claims the benefit of U.S. Provisional PatentApplication Ser. No. 62/628,866, entitled “Multi Source Validation”,filed Feb. 9, 2018 which is incorporated herein in its entirety. Thisapplication claims the benefit of U.S. Provisional Patent ApplicationSer. No. 62/654,274, entitled “Detecting Events From Multiple Signals”,filed Apr. 6, 2018 which is incorporated herein in its entirety. Thisapplication claims the benefit of U.S. Provisional Patent ApplicationSer. No. 62/654,277 entitled, “Validating Possible Events WithAdditional Signals”, filed Apr. 6, 2018 which is incorporated herein inits entirety. This application claims the benefit of U.S. ProvisionalPatent Application Ser. No. 62/664,001, entitled, “Normalizing DifferentTypes Of Ingested Signals Into A Common Format”, filed Apr. 27, 2018.This application claims the benefit of U.S. Provisional PatentApplication Ser. No. 62/682,176 entitled “Detecting An Event FromMultiple Sources”, filed Jun. 8, 2018 which is incorporated herein inits entirety. This application claims the benefit of U.S. ProvisionalPatent Application Ser. No. 62/682,177 entitled “Detecting An Event FromMulti-Source Event Probability”, filed Jun. 8, 2018 which isincorporated herein in its entirety.

BACKGROUND 1. Background and Relevant Art

In general, techniques that attempt to automate event detection areunreliable. Some techniques have attempted to mine social media data todetect the planning of events and forecast when events might occur.However, events can occur without prior planning and/or may not bedetectable using social media data. Further, these techniques are notcapable of meaningfully processing available data nor are thesetechniques capable of differentiating false data (e.g., hoax socialmedia posts)

Other techniques use textual comparisons to compare textual content(e.g., keywords) in a data stream to event templates in a database. Iftext in a data stream matches keywords in an event template, the datastream is labeled as indicating an event.

Additional techniques use event specific sensors to detect specifiedtypes of event. For example, earthquake detectors can be used to detectearthquakes.

BRIEF SUMMARY

Examples extend to methods, systems, and computer program products forevent detection removing private information.

A privacy infrastructure spans other modules used for signal ingestion,event detection, and event notification. The privacy infrastructure canremove portions of private information in any of: raw signals,normalized signals, events, or event notifications prior to, during, orafter any of: signal ingestion, event detection, or event notification.

In general, signal ingestion modules ingest different types of rawstructured and unstructured signals on an ongoing basis. Raw signals caninclude private information. The signal ingestion modules normalize rawsignals into corresponding normalized signals having a Time, Location,Context (or “TLC”) format. The privacy infrastructure may remove none,some, or all of the private information from a raw signal prior tonormalization and/or during normalization and/or after normalization.Thus, a corresponding normalized signal may not include any privateinformation. Alternately, a corresponding normalized signal can includeat a least a subset of the private information included in a raw signal.

Time can be a time of origin or “event time” of a signal. Location canbe anywhere across a geographic area, such as, a country (e.g., theUnited States), a State, a defined area, an impacted area, an areadefined by a geo cell, an address, etc. Context indicates circumstancessurrounding formation/origination of a raw signal in terms thatfacilitate understanding and assessment of the raw signal. The contextof a raw signal can be derived from express as well as inferred signalfeatures of the raw signal.

Signal ingestion modules can include one or more single sourceclassifiers. A single source classifier can compute a single sourceprobability for a raw signal from (inferred and/or express) signalfeatures of the raw signal. A single source probability can reflect amathematical probability or approximation of a mathematical probabilityof an event (e.g., fire, accident, weather, police presence, etc.)actually occurring. A single source classifier can be configured tocompute a single source probability for a single event type or tocompute a single source probability for each of a plurality of differentevent types.

As such, single source probabilities and corresponding probabilitydetails can represent Context. Probability details can indicate (e.g.,can include a hash field indicating) a probability version and (expressand/or inferred) signal features considered in a signal sourceprobability calculation.

Concurrently with signal ingestion, an event detection infrastructureconsiders features of different combinations of normalized signals toattempt to identify events of interest to various parties. Based atleast in part on private information removal associated with signalingestion, features of normalized signals may or may not include privateinformation.

In one aspect, the event detection infrastructure can determine thatfeatures of multiple different signals collectively indicate an event ofinterest to one or more parties. Alternately, the event detectioninfrastructure can determine that features of one or more signalsindicate a possible event of interest to one or more parties. The eventdetection infrastructure then determines that features of one or moreother signals validate the possible event as an actual event of interestto the one or more parties. Signal features can include: signal type,signal source, signal content, signal time (T), signal location (L),signal context (C), other circumstances of signal creation, etc.

The event detection infrastructure can group signals having sufficienttemporal similarity and sufficient spatial similarity to one another ina signal sequence. In one aspect, any signal having sufficient temporaland spatial similarity to another signal can be added to a signalsequence.

In another aspect, a single source probability for a signal is computedfrom features of the signal. The single source probability can reflect amathematical probability or approximation of a mathematical probabilityof an event actually occurring. A signal having a signal sourceprobability above a threshold can be indicated as an “elevated” signal.Elevated signals can be used to initiate and/or can be added to a signalsequence. On the other hand, non-elevated signals may not be added to asignal sequence.

A multi-source probability can be computed from features of multiplenormalized signals, including normalized signals in a signal sequence.Features used to compute a multi-source probability can include multiplesingle source probabilities as well as other features derived frommultiple signals. The multi-source probability can reflect amathematical probability or approximation of a mathematical probabilityof an event actually occurring based on multiple normalized signals(e.g., a signal sequence). A multi-source probability can change overtime as normalized signals age or when a new normalized signal isreceived (e.g., added to a signal sequence).

The privacy infrastructure may remove none, some, or all of the privateinformation from a normalized signal prior to event detection and/orduring event detection and/or after event detection. Thus, a detectedevent may not include any private information. Alternately, a detectedevent can include at a least a subset of the private informationincluded in one or more normalized signals.

This summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used as an aid in determining the scope of the claimed subjectmatter.

Additional features and advantages will be set forth in the descriptionwhich follows, and in part will be obvious from the description, or maybe learned by practice. The features and advantages may be realized andobtained by means of the instruments and combinations particularlypointed out in the appended claims. These and other features andadvantages will become more fully apparent from the followingdescription and appended claims, or may be learned by practice as setforth hereinafter.

BRIEF DESCRIPTION OF THE DRAWINGS

In order to describe the manner in which the above-recited and otheradvantages and features can be obtained, a more particular descriptionwill be rendered by reference to specific implementations thereof whichare illustrated in the appended drawings. Understanding that thesedrawings depict only some implementations and are not therefore to beconsidered to be limiting of its scope, implementations will bedescribed and explained with additional specificity and detail throughthe use of the accompanying drawings in which:

FIG. 1A illustrates an example computer architecture that facilitatesingesting signals.

FIG. 1B illustrates an example computer architecture that facilitatesdetecting events.

FIG. 1C illustrates the example computer architecture of FIG. 1B andincludes a privacy infrastructure.

FIG. 2 illustrates an example computer architecture that facilitatesdetecting an event from features derived from multiple signals.

FIG. 3 illustrates a flow chart of an example method for detecting anevent from features derived from multiple signals.

FIG. 4 illustrates an example computer architecture that facilitatesdetecting an event from features derived from multiple signals.

FIG. 5 illustrates a flow chart of an example method for detecting anevent from features derived from multiple signals

FIG. 6A illustrates an example computer architecture that facilitatesforming a signal sequence.

FIG. 6B illustrates an example computer architecture that facilitatesdetecting an event from features of a signal sequence.

FIG. 6C illustrates an example computer architecture that facilitatesdetecting an event from features of a signal sequence.

FIG. 6D illustrates an example computer architecture that facilitatesdetecting an event from a multisource probability.

FIG. 6E illustrates an example computer architecture that facilitatesdetecting an event from a multisource probability.

FIG. 7 illustrates a flow chart of an example method for forming asignal sequence.

FIG. 8 illustrates a flow of an example method for detecting an eventfrom a signal sequence.

DETAILED DESCRIPTION

Examples extend to methods, systems, and computer program products forevent detection removing private information.

Entities (e.g., parents, other family members, guardians, friends,teachers, social workers, first responders, hospitals, deliveryservices, media outlets, government entities, etc.) may desire to bemade aware of relevant events (e.g., fires, accidents, police presence,shootings, etc.) as close as possible to the events' occurrence (i.e.,as close as possible to “moment zero”). Different types of ingestedsignals (e.g., social media signals, web signals, and streaming signals)can be used to detect events. However, entities typically are not madeaware of an event until after a person observes the event (or the eventaftermath) and calls authorities.

Aspects of the invention normalize raw signals into a common format thatincludes Time, Location, and Context (or “TLC”) format. Per signal type,signal ingestion modules identify and/or infer a time, a location, and acontext associated with a signal. Different ingestion modules can beutilized/tailored to identify time, location, and context for differentsignal types. Time (T) can be a time of origin or “event time” of asignal. Location (L) can be anywhere across a geographic area, such as,a country (e.g., the United States), a State, a defined area, animpacted area, an area defined by a geo cell, an address, etc.

Context (C) indicates circumstances surrounding formation/origination ofa raw signal in terms that facilitate understanding and assessment ofthe raw signal. The context of a raw signal can be derived from expressas well as inferred signal features of the raw signal.

Signal ingestion modules can include one or more single sourceclassifiers. A single source classifier can compute a single sourceprobability for a raw signal from features of the raw signal. A singlesource probability can reflect a mathematical probability orapproximation of a mathematical probability (e.g., a percentage between0%-100%) of an event actually occurring. A single source classifier canbe configured to compute a single source probability for a single eventtype or to compute a single source probability for each of a pluralityof different event types. A single source classifier can compute asingle source probability using artificial intelligence, machinelearning, neural networks, logic, heuristics, etc.

As such, single source probabilities and corresponding probabilitydetails can represent Context. Probability details can indicate (e.g.,can include a hash field indicating) a probability version and (expressand/or inferred) signal features considered in a signal sourceprobability calculation.

Concurrently with signal ingestion, the event detection infrastructureconsiders features of different combinations of normalized signals toattempt to identify events of interest to various parties. Features canbe derived from an individual signal and/or from a group of signals.

For example, the event detection infrastructure can derive firstfeatures of a first normalized signal and can derive second features ofa second normalized signal. Individual signal features can include:signal type, signal source, signal content, signal time (T), signallocation (L), signal context (C), other circumstances of signalcreation, etc. The event detection infrastructure can detect an event ofinterest to one or more parties from the first features and the secondfeatures collectively.

Alternately, the event detection infrastructure can derive firstfeatures of each normalized signal included in a first one or morenormalized individual signals. The event detection infrastructure candetect a possible event of interest to one or more parties from thefirst features. The event detection infrastructure can derive secondfeatures of each normalized signal included in a second one or moreindividual signals. The event detection infrastructure can validate thepossible event of interest as an actual event of interest to the one ormore parties from the second features.

More specifically, the event detection infrastructure can use singlesource probabilities to detect and/or validate events. For example, theevent detection infrastructure can detect an event of interest to one ormore parties based on a single source probability of a first signal anda single source probability of second signal collectively. Alternately,the event detection infrastructure can detect a possible event ofinterest to one or more parties based on single source probabilities ofa first one or more signals. The event detection infrastructure canvalidate the possible event as an actual event of interest to one ormore parties based on single source probabilities of a second one ormore signals.

The event detection infrastructure can group normalized signals havingsufficient temporal similarity and/or sufficient spatial similarity toone another in a signal sequence. Temporal similarity of normalizedsignals can be determined by comparing Time (T) of the normalizedsignals. In one aspect, temporal similarity of a normalized signal andanother normalized signal is sufficient when the Time (T) of thenormalized signal is within a specified time of the Time (T) of theother normalized signal. A specified time can be virtually any timevalue, such as, for example, ten seconds, 30 seconds, one minute, twominutes, five minutes, ten minutes, 30 minutes, one hour, two hours,four hours, etc. A specified time can vary by detection type. Forexample, some event types (e.g., a fire) inherently last longer thanother types of events (e.g., a shooting). Specified times can betailored per detection type.

Spatial similarity of normalized signals can be determined by comparingLocation (L) of the normalized signals. In one aspect, spatialsimilarity of a normalized signal and another normalized signal issufficient when the Location (L) of the normalized signal is within aspecified distance of the Location (L) of the other normalized signal. Aspecified distance can be virtually any distance value, such as, forexample, a linear distance or radius (a number of feet, meters, miles,kilometers, etc.), within a specified number of geo cells of specifiedprecision, etc.

In one aspect, any normalized signal having sufficient temporal andspatial similarity to another normalized signal can be added to a signalsequence.

In another aspect, a single source probability for a signal is computedfrom features of the signal. The single source probability can reflect amathematical probability or approximation of a mathematical probabilityof an event actually occurring. A normalized signal having a signalsource probability above a threshold (e.g., greater than 4%) isindicated as an “elevated” signal. Elevated signals can be used toinitiate and/or can be added to a signal sequence. On the other hand,non-elevated signals may not be added to a signal sequence.

In one aspect, a first threshold is considered for signal sequenceinitiation and a second threshold is considered for adding additionalsignals to an existing signal sequence. A normalized signal having asingle source probability above the first threshold can be used toinitiate a signal sequence. After a signal sequence is initiated, anynormalized signal having a single source probability above the secondthreshold can be added to the signal sequence.

The first threshold can be greater than the second threshold. Forexample, the first threshold can be 4% or 5% and the second thresholdcan be 2% or 3%. Thus, signals that are not necessarily reliable enoughto initiate a signal sequence for an event can be considered forvalidating a possible event.

The event detection infrastructure can derive features of a signalgrouping, such as, a signal sequence. Features of a signal sequence caninclude features of signals in the signal sequence, including singlesource probabilities. Features of a signal sequence can also includepercentages, histograms, counts, durations, etc. derived from featuresof the signals included in the signal sequence. The event detectioninfrastructure can detect an event of interest to one or more partiesfrom signal sequence features.

The event detection infrastructure can include one or more multi-sourceclassifiers. A multi-source classifier can compute a multi-sourceprobability for a signal sequence from features of the signal sequence.The multi-source probability can reflect a mathematical probability orapproximation of a mathematical probability of an event (e.g., fire,accident, weather, police presence, etc.) actually occurring based onmultiple normalized signals (e.g., the signal sequence). Themulti-source probability can be assigned as an additional signalsequence feature. A multi-source classifier can be configured to computea multi-source probability for a single event type or to compute amulti-source probability for each of a plurality of different eventtypes. A multi-source classifier can compute a multi-source probabilityusing artificial intelligence, machine learning, neural networks, etc.

A multi-source probability can change over time as a signal sequenceages or when a new signal is added to a signal sequence. For example, amulti-source probability for a signal sequence can decay over time. Amulti-source probability for a signal sequence can also be recomputedwhen a new normalized signal is added to the signal sequence.

Multi-source probability decay can start after a specified period oftime (e.g., 3 minutes) and decay can occur in accordance with a defineddecay equation. In one aspect, a decay equation defines exponentialdecay of multi-source probabilities. Different decay rates can be usedfor different classes. Decay can be similar to radioactive decay, withdifferent tau (i.e., mean lifetime) values used to calculate the “halflife” of multi-source probability for different event types.

In some aspects, raw signals, normalized signals, events, or eventnotifications may include information (private information, userinformation, etc.) deemed inappropriate for further propagation. Aprivacy infrastructure can span other modules used for signal ingestion,event detection, and event notification. The privacy infrastructure canuse various mechanisms to prevent other modules from inappropriatelypropagating information. For example, the privacy infrastructure canremove or otherwise (temporarily or permanently) obscure information inany of: raw signals, normalized signals, events, or event notificationsprior to, during, or after any of: signal ingestion, event detection, orevent notification.

Thus, in some aspects, signals, including raw signals and/or normalizedsignals, include information deemed inappropriate for propagation. Theprivacy infrastructure can prevent the information from beinginappropriately propagated prior to, during, or after event detection.Information deemed inappropriate for propagation can include:confidential information, patient information, personally identifiableinformation (PII), personal health information (PHI), sensitive personalinformation (SPI), Payment Card Industry information (PCI), or otherprivate information, etc. (collectively, “user information”). Preventingpropagation of user information can include removing (e.g., scrubbing orstripping) the used information from ingested signals. Removal of userinformation prior to event detection allows events to be detected whilesignificantly increasing the privacy of any entities (e.g., individuals,businesses, etc.) referenced within the user information.

Data scrubbing or stripping can include the removal or permanentdestruction of certain information. As compared to dataanonymization—which may involve complex methods of obfuscation—datascrubbing eliminates information from the system. That is, scrubbed datais not merely aggregated in a manner that delinks it from other data,rather, scrubbed data is permanently eliminated.

In one aspect, user information is included in metadata within aningested raw signal. The privacy infrastructure can scrub the metadataprior to event detection and/or storage of the raw signal. For example,the privacy infrastructure can remove associated account informationfrom a social media post. The privacy infrastructure can also scrub (orotherwise remove) geocoded information included in an ingested rawsignal metadata.

The privacy infrastructure can actively attempt to identify userinformation in ingested raw signals and/or normalized signals. Forexample, the privacy infrastructure can parse attributes of an ingestedraw signal or normalized signal (including signal content) searching foruser information, such as, names, birthdates, physical characteristics,etc. The privacy infrastructure can scrub (or otherwise remove) anyidentified user information. For example, the privacy infrastructure canscrub PII included in a Computer Aided Dispatch (CAD) signal prior toutilizing the CAD signal for event detection.

Certain types of data may be inherently personal but are also used forevent detection. For example, in an emergency situation involving asuspected perpetrator, it may be appropriate (and even beneficial) topropagate identifying physical characteristics (or other userinformation) included in a signal to law enforcement. The physicalcharacteristics (or other user information) may remain with the signalbut the signal may be tagged to indicate the presence of the physicalcharacteristics. The privacy infrastructure may apply various securitymechanisms on signals tagged as including user information. Securitymechanisms can include segregating the tagged signal from other signals,applying encryption (or higher encryption) to the tagged signal,applying access controls (e.g., user-based, entity-based, purpose-based,time-based, warrant-based, etc.) to the tagged signal, or otherwiseimplementing rules regarding activities that are authorized/appropriatefor the tagged signal.

The privacy infrastructure can implement mechanisms to remove (orotherwise obscure) user information in accordance with one or more of:time-domain, expiry, or relevance-based rules. In one aspect, some userinformation may be appropriate to retain for a (e.g., relatively short)period of time. However, after the period of time, retention of the userinformation is no longer appropriate. The privacy infrastructure canimplement a time based rule to remove (or otherwise obscure) the userinformation when the time period expires. For example, in a healthcaresetting, it may be appropriate to know the identity of a person whotests positive for a communicable disease during the time in which thedisease is communicable to others. However, once the person is no longercontagious, the identity loses relevance, and the privacy infrastructurecan scrub the identify while maintaining other, non-user-identifiableinformation about the case.

In another aspect, the privacy infrastructure can retain information ona rolling window of time, for example 24 hours. For example, an accesslog for a resource (e.g., a building, a file, a computer, etc.) may beretained for a set period of time. Once the period of time has expiredfor a specific record, user information may be scrubbed from the accessrecord while maintaining non-identifiable information (e.g., anindication that the resource was accessed).

In further aspect, the privacy infrastructures can obscure userinformation at multiple layers to further protect a user's privacy evenduring a period of time in which their user information is retained. Forexample, a data provider may hide, modify, encrypt, hash, or otherwiseobscure user information prior to transfer into a system. The eventdetection algorithms previously described may be employed to identifysimilarities among signal characteristics even with the data within thesignals has been arbitrarily assigned. That is, event detection maystill be possible based on a uniform obfuscation of data prior toingestion within the system. In this way, user data within the eventdetection system may not be traceable back to a user without also havingaccess to the entirely separate system operated by the entity providingthe signal. This may improve user privacy.

To further improve user privacy, the privacy infrastructure can combinereceiving pre-obscured data from a signal provider with a process ofapplying an additional local obfuscation. For example, a signal sourcemay provide only a hashed version of a user identifier to the signalingestion system. The hashed version of the user identified may behashed according to a method unknown to the signal ingestion system(e.g., a private key, salt, or the like). Upon receipt, the privacyinfrastructure may apply an additional obfuscation (e.g., a secondprivate key, salt, or the like) to the received data using a methodunknown to the signal provider. As described, the privacy infrastructuremay then scrub, cancel, or delete any connection between the receiveddata (already obfuscated), and the secondary local modificationaccording to a time-window, expiry, relevance, etc., rules.

Implementations can comprise or utilize a special purpose orgeneral-purpose computer including computer hardware, such as, forexample, one or more computer and/or hardware processors (including anyof Central Processing Units (CPUs), and/or Graphical Processing Units(GPUs), general-purpose GPUs (GPGPUs), Field Programmable Gate Arrays(FPGAs), application specific integrated circuits (ASICs), TensorProcessing Units (TPUs)) and system memory, as discussed in greaterdetail below. Implementations also include physical and othercomputer-readable media for carrying or storing computer-executableinstructions and/or data structures. Such computer-readable media can beany available media that can be accessed by a general purpose or specialpurpose computer system. Computer-readable media that storecomputer-executable instructions are computer storage media (devices).Computer-readable media that carry computer-executable instructions aretransmission media. Thus, by way of example, and not limitation,implementations can comprise at least two distinctly different kinds ofcomputer-readable media: computer storage media (devices) andtransmission media.

Computer storage media (devices) includes RAM, ROM, EEPROM, CD-ROM,Solid State Drives (“SSDs”) (e.g., RAM-based or Flash-based), ShingledMagnetic Recording (“SMR”) devices, Flash memory, phase-change memory(“PCM”), other types of memory, other optical disk storage, magneticdisk storage or other magnetic storage devices, or any other mediumwhich can be used to store desired program code means in the form ofcomputer-executable instructions or data structures and which can beaccessed by a general purpose or special purpose computer.

In one aspect, one or more processors are configured to executeinstructions (e.g., computer-readable instructions, computer-executableinstructions, etc.) to perform any of a plurality of describedoperations. The one or more processors can access information fromsystem memory and/or store information in system memory. The one or moreprocessors can (e.g., automatically) transform information betweendifferent formats, such as, for example, between any of: raw signals,normalized signals, signal features, single source probabilities,possible events, events, signal sequences, signal sequence features,multisource probabilities, etc.

System memory can be coupled to the one or more processors and can storeinstructions (e.g., computer-readable instructions, computer-executableinstructions, etc.) executed by the one or more processors. The systemmemory can also be configured to store any of a plurality of other typesof data generated and/or transformed by the described components, suchas, for example, raw signals, normalized signals, signal features,single source probabilities, possible events, events, signal sequences,signal sequence features, multisource probabilities, etc.

A “network” is defined as one or more data links that enable thetransport of electronic data between computer systems and/or modulesand/or other electronic devices. When information is transferred orprovided over a network or another communications connection (eitherhardwired, wireless, or a combination of hardwired or wireless) to acomputer, the computer properly views the connection as a transmissionmedium. Transmissions media can include a network and/or data linkswhich can be used to carry desired program code means in the form ofcomputer-executable instructions or data structures and which can beaccessed by a general purpose or special purpose computer. Combinationsof the above should also be included within the scope ofcomputer-readable media.

Further, upon reaching various computer system components, program codemeans in the form of computer-executable instructions or data structurescan be transferred automatically from transmission media to computerstorage media (devices) (or vice versa). For example,computer-executable instructions or data structures received over anetwork or data link can be buffered in RAM within a network interfacemodule (e.g., a “NIC”), and then eventually transferred to computersystem RAM and/or to less volatile computer storage media (devices) at acomputer system. Thus, it should be understood that computer storagemedia (devices) can be included in computer system components that also(or even primarily) utilize transmission media.

Computer-executable instructions comprise, for example, instructions anddata which, in response to execution at a processor, cause a generalpurpose computer, special purpose computer, or special purposeprocessing device to perform a certain function or group of functions.The computer executable instructions may be, for example, binaries,intermediate format instructions such as assembly language, or evensource code. Although the subject matter has been described in languagespecific to structural features and/or methodological acts, it is to beunderstood that the subject matter defined in the appended claims is notnecessarily limited to the described features or acts described above.Rather, the described features and acts are disclosed as example formsof implementing the claims.

Those skilled in the art will appreciate that the described aspects maybe practiced in network computing environments with many types ofcomputer system configurations, including, personal computers, desktopcomputers, laptop computers, message processors, hand-held devices,wearable devices, multicore processor systems, multi-processor systems,microprocessor-based or programmable consumer electronics, network PCs,minicomputers, mainframe computers, mobile telephones, PDAs, tablets,routers, switches, and the like. The described aspects may also bepracticed in distributed system environments where local and remotecomputer systems, which are linked (either by hardwired data links,wireless data links, or by a combination of hardwired and wireless datalinks) through a network, both perform tasks. In a distributed systemenvironment, program modules may be located in both local and remotememory storage devices.

Further, where appropriate, functions described herein can be performedin one or more of: hardware, software, firmware, digital components, oranalog components. For example, one or more Field Programmable GateArrays (FPGAs) and/or one or more application specific integratedcircuits (ASICs) and/or one or more Tensor Processing Units (TPUs) canbe programmed to carry out one or more of the systems and proceduresdescribed herein. Hardware, software, firmware, digital components, oranalog components can be specifically tailor-designed for a higher speeddetection or artificial intelligence that can enable signal processing.In another example, computer code is configured for execution in one ormore processors, and may include hardware logic/electrical circuitrycontrolled by the computer code. These example devices are providedherein purposes of illustration, and are not intended to be limiting.Embodiments of the present disclosure may be implemented in furthertypes of devices.

The described aspects can also be implemented in cloud computingenvironments. In this description and the following claims, “cloudcomputing” is defined as a model for enabling on-demand network accessto a shared pool of configurable computing resources. For example, cloudcomputing can be employed in the marketplace to offer ubiquitous andconvenient on-demand access to the shared pool of configurable computingresources (e.g., compute resources, networking resources, and storageresources). The shared pool of configurable computing resources can beprovisioned via virtualization and released with low effort or serviceprovider interaction, and then scaled accordingly.

A cloud computing model can be composed of various characteristics suchas, for example, on-demand self-service, broad network access, resourcepooling, rapid elasticity, measured service, and so forth. A cloudcomputing model can also expose various service models, such as, forexample, Software as a Service (“SaaS”), Platform as a Service (“PaaS”),and Infrastructure as a Service (“IaaS”). A cloud computing model canalso be deployed using different deployment models such as privatecloud, community cloud, public cloud, hybrid cloud, and so forth. Inthis description and in the following claims, a “cloud computingenvironment” is an environment in which cloud computing is employed.

In this description and the following claims, a “geo cell” is defined asa piece of “cell” in a grid in any form. In one aspect, geo cells arearranged in a hierarchical structure. Cells of different geometries canbe used.

A “geohash” is an example of a “geo cell”.

In this description and the following claims, “geohash” is defined as ageocoding system which encodes a geographic location into a short stringof letters and digits. Geohash is a hierarchical spatial data structurewhich subdivides space into buckets of grid shape (e.g., a square).Geohashes offer properties like arbitrary precision and the possibilityof gradually removing characters from the end of the code to reduce itssize (and gradually lose precision). As a consequence of the gradualprecision degradation, nearby places will often (but not always) presentsimilar prefixes. The longer a shared prefix is, the closer the twoplaces are. geo cells can be used as a unique identifier and torepresent point data (e.g., in databases).

In one aspect, a “geohash” is used to refer to a string encoding of anarea or point on the Earth. The area or point on the Earth may berepresented (among other possible coordinate systems) as alatitude/longitude or Easting/Northing—the choice of which is dependenton the coordinate system chosen to represent an area or point on theEarth. geo cell can refer to an encoding of this area or point, wherethe geo cell may be a binary string comprised of 0s and 1s correspondingto the area or point, or a string comprised of 0s, 1s, and a ternarycharacter (such as X)—which is used to refer to a don't care character(0 or 1). A geo cell can also be represented as a string encoding of thearea or point, for example, one possible encoding is base-32, whereevery 5 binary characters are encoded as an ASCII character.

Depending on latitude, the size of an area defined at a specified geocell precision can vary. In one aspect, the areas defined at various geocell precisions are approximately:

GeoHash Length/Precision Width × Height 1 5,009.4 km × 4,992.6 km 21,252.3 km × 624.1 km 3 156.5 km × 156 km 4 39.1 km × 19.5 km 5 4.9 km ×4.9 km 6 1.2 km × 609.4 m 7 152.9 m × 152.4 m 8 38.2 m × 19 m 9 4.8 m ×4.8 m 10 1.2 m × 59.5 cm 11 14.9 cm × 14.9 cm 12 3.7 cm × 1.9 cm

Other geo cell geometries, such as, hexagonal tiling, triangular tiling,etc. are also possible. For example, the H3 geospatial indexing systemis a multi-precision hexagonal tiling of a sphere (such as the Earth)indexed with hierarchical linear indexes.

In another aspect, geo cells are a hierarchical decomposition of asphere (such as the Earth) into representations of regions or pointsbased a Hilbert curve (e.g., the S2 hierarchy or other hierarchies).Regions/points of the sphere can be projected into a cube and each faceof the cube includes a quad-tree where the sphere point is projectedinto. After that, transformations can be applied and the spacediscretized. The geo cells are then enumerated on a Hilbert Curve (aspace-filling curve that converts multiple dimensions into one dimensionand preserves the locality).

Due to the hierarchical nature of geo cells, any signal, event, entity,etc., associated with a geo cell of a specified precision is by defaultassociated with any less precise geo cells that contain the geo cell.For example, if a signal is associated with a geo cell of precision 9,the signal is by default also associated with corresponding geo cells ofprecisions 1, 2, 3, 4, 5, 6, 7, and 8. Similar mechanisms are applicableto other tiling and geo cell arrangements. For example, S2 has a celllevel hierarchy ranging from level zero (85,011,012 km²) to level 30(between 0.48 cm² to 0.96 cm²).

Signal Ingestion and Normalization

Signal ingestion modules ingest a variety of raw structured and/orunstructured signals on an on going basis and in essentially real-time.Raw signals can include social posts, live broadcasts, traffic camerafeeds, other camera feeds (e.g., from other public cameras or from CCTVcameras), listening device feeds, 911 calls, weather data, plannedevents, IoT device data, crowd sourced traffic and road information,satellite data, air quality sensor data, smart city sensor data, medicaldatabase data, public radio communication (e.g., among first respondersand/or dispatchers, between air traffic controllers and pilots), etc.The content of raw signals can include images, video, audio, text, etc.Generally, the signal ingestion modules normalize raw signals intonormalized signals, for example, having Time, Location, Context (or“TLC”) dimensions.

Different types of ingested signals (e.g., social media signals, websignals, and streaming signals) can be used to identify events.Different types of signals can include different data types anddifferent data formats. Data types can include audio, video, image, andtext. Different formats can include text in XML, text in JavaScriptObject Notation (JSON), text in RSS feed, plain text, video stream inDynamic Adaptive Streaming over HTTP (DASH), video stream in HTTP LiveStreaming (HLS), video stream in Real-Time Messaging Protocol (RTMP),etc.

Time (T) can be a time of origin or “event time” of a signal. In oneaspect, a raw signal includes a time stamp and the time stamp is used tocalculate Time (T). Location (L) can be anywhere across a geographicarea, such as, a country (e.g., the United States), a State, a definedarea, an impacted area, an area defined by a geo cell, an address, etc.

Context indicates circumstances surrounding formation/origination of araw signal in terms that facilitate understanding and assessment of theraw signal. The context of a raw signal can be derived from express aswell as inferred signal features of the raw signal.

Signal ingestion modules can include one or more single sourceclassifiers. A single source classifier can compute a single sourceprobability for a raw signal from features of the raw signal. A singlesource probability can reflect a mathematical probability orapproximation of a mathematical probability (e.g., a percentage between0%-100%) of an event (e.g., fire, accident, weather, police presence,shooting, etc.) actually occurring. A single source classifier can beconfigured to compute a single source probability for a single eventtype or to compute a single source probability for each of a pluralityof different event types. A single source classifier can compute asingle source probability using artificial intelligence, machinelearning, neural networks, logic, heuristics, etc.

As such, single source probabilities and corresponding probabilitydetails can represent Context (C). Probability details can indicate(e.g., can include a hash field indicating) a probability version and(express and/or inferred) signal features considered in a signal sourceprobability calculation.

Per signal type and signal content, different normalization modules canbe used to extract, derive, infer, etc. time, location, and contextfrom/for a raw signal. For example, one set of normalization modules canbe configured to extract/derive/infer time, location and contextfrom/for social signals. Another set of normalization modules can beconfigured to extract/derive/infer time, location and context from/forWeb signals. A further set of normalization modules can be configured toextract/derive/infer time, location and context from/for streamingsignals.

Normalization modules for extracting/deriving/inferring time, location,and context can include text processing modules, NLP modules, imageprocessing modules, video processing modules, etc. The modules can beused to extract/derive/infer data representative of time, location, andcontext for a signal. Time, Location, and Context for a signal can beextracted/derived/inferred from metadata and/or content of the signal.For example, NLP modules can analyze metadata and content of a soundclip to identify a time, location, and keywords (e.g., fire, shooter,etc.). An acoustic listener can also interpret the meaning of sounds ina sound clip (e.g., a gunshot, vehicle collision, etc.) and convert torelevant context. Live acoustic listeners can determine the distance anddirection of a sound. Similarly, image processing modules can analyzemetadata and pixels in an image to identify a time, location andkeywords (e.g., fire, shooter, etc.). Image processing modules can alsointerpret the meaning of parts of an image (e.g., a person holding agun, flames, a store logo, etc.) and convert to relevant context. Othermodules can perform similar operations for other types of contentincluding text and video.

Per signal type, each set of normalization modules can differ but mayinclude at least some similar modules or may share some common modules.For example, similar (or the same) image analysis modules can be used toextract named entities from social signal images and public camerafeeds. Likewise, similar (or the same) NLP modules can be used toextract named entities from social signal text and web text.

In some aspects, an ingested signal includes expressly defined Time,Location, and Context upon ingestion. In other aspects, an ingestedsignal lacks an expressly defined Location and/or an expressly definedContext upon ingestion. In these other aspects, Location and/or Contextcan be inferred from features of an ingested signal and/or throughreference to other data sources.

In further aspects, Time may not be included, or an included time maynot be given with high precision and is inferred. For example, a usermay post an image to a social network which had been taken someindeterminate time earlier.

Normalization modules can use named entity recognition and reference toa geo cell database to infer location. Named entities can be recognizedin text, images, video, audio, or sensor data. The recognized namedentities can be compared to named entities in geo cell entries. Matchesindicate possible signal origination in a geographic area defined by ageo cell.

As such, a normalized signal can include a Time, a Location, a Context(e.g., single source probabilities and probability details), a signaltype, a signal source, and content.

In one aspect, a frequentist inference technique is used to determine asingle source probability. A database maintains mappings betweendifferent combinations of signal properties and ratios of signalsturning into events (a probability) for that combination of signalproperties. The database is queried with the combination of signalproperties. The database returns a ratio of signals having the signalproperties turning into events. The ratio is assigned to the signal. Acombination of signal properties can include: (1) event class (e.g.,fire, accident, weather, etc.), (2) media type (e.g., text, image,audio, etc.), (3) source (e.g., twitter, traffic camera, first responderradio traffic, etc.), and (4) geo type (e.g., geo cell, region, ornon-geo).

In another aspect, a single source probability is calculated by singlesource classifiers (e.g., machine learning models, artificialintelligence, neural networks, etc.) that consider hundreds, thousands,or even more signal features of a signal. Single source classifiers canbe based on binary models and/or multi-class models.

Output from a single source classifier can be adjusted to moreaccurately represent a probability that a signal is a “true positive”.For example, 1,000 signals with classifier output of 0.9 may include 80%as true positives. Thus, single source probability can be adjusted to0.8 to more accurately reflect probability of the signal being a Trueevent. “Calibration” can be done in such a way that for any “calibratedscore” the score reflects the true probability of a true positiveoutcome.

FIG. 1A depicts computer architecture 100 that facilitates ingesting andnormalizing signals. As depicted, computer architecture 100 includessignal ingestion modules 101, social signals 171, Web signals 172, andstreaming signals 173. Signal ingestion modules 101, social signals 171,Web signals 172, and streaming signals 173 can be connected to (or bepart of) a network, such as, for example, a system bus, a Local AreaNetwork (“LAN”), a Wide Area Network (“WAN”), and even the Internet.Accordingly, signal ingestion modules 101, social signals 171, Websignals 172, and streaming signals 173 as well as any other connectedcomputer systems and their components can create and exchange messagerelated data (e.g., Internet Protocol (“IP”) datagrams and other higherlayer protocols that utilize IP datagrams, such as, Transmission ControlProtocol (“TCP”), Hypertext Transfer Protocol (“HTTP”), Simple MailTransfer Protocol (“SMTP”), Simple Object Access Protocol (SOAP), etc.or using other non-datagram protocols) over the network.

Signal ingestion module(s) 101 can ingest raw signals 121, includingsocial signals 171, web signals 172, and streaming signals 173 (e.g.,social posts, traffic camera feeds, other camera feeds, listening devicefeeds, 911 calls, weather data, planned events, IoT device data, crowdsourced traffic and road information, satellite data, air quality sensordata, smart city sensor data, public radio communication, etc.) on goingbasis and in essentially real-time. Signal ingestion module(s) 101include social content ingestion modules 174, web content ingestionmodules 176, stream content ingestion modules 177, and signal formatter180. Signal formatter 180 further includes social signal processingmodule 181, web signal processing module 182, and stream signalprocessing modules 183.

For each type of signal, a corresponding ingestion module and signalprocessing module can interoperate to normalize the signal into a Time,Location, Context (TLC) dimensions. For example, social contentingestion modules 174 and social signal processing module 181 caninteroperate to normalize social signals 171 into TLC dimensions.Similarly, web content ingestion modules 176 and web signal processingmodule 182 can interoperate to normalize web signals 172 into TLCdimensions. Likewise, stream content ingestion modules 177 and streamsignal processing modules 183 can interoperate to normalize streamingsignals 173 into TLC dimensions.

In one aspect, signal content exceeding specified size requirements(e.g., audio or video) is cached upon ingestion. Signal ingestionmodules 101 include a URL or other identifier to the cached contentwithin the context for the signal.

Signal formatter 180 can include one or more single signal classifiersclassifying ingested signals. The one or more single signal classifierscan assign one or more signal source probabilities (e.g., between0%-100%) to each ingested signal. Each single source probability is aprobability of the ingested signal being a particular category of event(e.g., fire, weather, medical, accident, police presence, etc.).Ingested signals with a sufficient single source probability (e.g., >=to4%) are considered “elevated” signals.

In one aspect, signal formatter 180 includes modules for determining asingle source probability as a ratio of signals turning into eventsbased on the following signal properties: (1) event class (e.g., fire,accident, weather, etc.), (2) media type (e.g., text, image, audio,etc.), (3) source (e.g., twitter, traffic camera, first responder radiotraffic, etc.), and (4) geo type (e.g., geo cell, region, or non-geo).Probabilities can be stored in a lookup table for different combinationsof the signal properties. Features of a signal can be derived and usedto query the lookup table. For example, the lookup table can be queriedwith terms (“accident”, “image”, “twitter”, “region”). The correspondingratio (probability) can be returned from the table.

In another aspect, signal formatter 180 includes a plurality of singlesource classifiers (e.g., artificial intelligence, machine learningmodules, neural networks, etc.). Each single source classifier canconsider hundreds, thousands, or even more signal features of a signal.Signal features of a signal can be derived and submitted to a signalsource classifier. The single source classifier can return a probabilitythat a signal indicates a type of event. Single source classifiers canbe binary classifiers or multi-source classifiers.

Raw classifier output can be adjusted to more accurately represent aprobability that a signal is a “true positive”. For example, 1,000signals whose raw classifier output is 0.9 may include 80% as truepositives. Thus, probability can be adjusted to 0.8 to reflect trueprobability of the signal being a true positive. “Calibration” can bedone in such a way that for any “calibrated score” this score reflectsthe true probability of a true positive outcome.

Signal ingestion modules 101 can insert one or more single sourceprobabilities and corresponding probability details into a normalizedsignal to represent a Context (C) dimension. Probability details canindicate a probabilistic model and features used to calculate theprobability. In one aspect, a probabilistic model and signal featuresare contained in a hash field.

Signal ingestion modules 101 can access “transdimensionality”transformations structured and defined in a “TLC” dimensional model.Signal ingestion modules 101 can apply the “transdimensionality”transformations to generic source data in raw signals to re-encode thesource data into normalized data having lower dimensionality.Dimensionality reduction can include reducing dimensionality of a rawsignal to a normalized signal including a T vector, an L vector, and a Cvector. At lower dimensionality, the complexity of measuring “distances”between dimensional vectors across different normalized signals isreduced.

Thus in general, any of the received raw signals can be normalized intonormalized signals including Time, Location, Context, signal source,signal type, and content. Signal ingestion modules 101 can sendnormalized signals 122 to event detection infrastructure 103.

For example, signal ingestion modules 101 can send normalized signal122A, including time 123A, location 124A, context 126A, content 127A,type 128A, and source 129A to event detection infrastructure 103.Similarly, signal ingestion modules 101 can send normalized signal 122B,including time 123B, location 124B, context 126B, content 127B, type128B, and source 129B to event detection infrastructure 103. Signalingestion modules 101 can also send normalized signal 122C (depicted inFIG. 6), including time 123C, location 124C, context 126C, content 127C,type 128C, and source 129C to event detection infrastructure 103.

Event Detection

FIG. 1B depicts part of computer architecture 100 that facilitatesdetecting events. As depicted, computer architecture 100 includes geocell database 111 and even notification 116. Geo cell database 111 andevent notification 116 can be connected to (or be part of) a networkwith signal ingestion modules 101 and event detection infrastructure103. As such, geo cell database 111 and even notification 116 can createand exchange message related data over the network.

As described, in general, on an ongoing basis, concurrently with signalingestion (and also essentially in real-time), event detectioninfrastructure 103 detects different categories of (planned andunplanned) events (e.g., fire, police response, mass shooting, trafficaccident, natural disaster, storm, active shooter, concerts, protests,etc.) in different locations (e.g., anywhere across a geographic area,such as, the United States, a State, a defined area, an impacted area,an area defined by a geo cell, an address, etc.), at different timesfrom Time, Location, and Context dimensions included in normalizedsignals. Since, normalized signals are normalized to include Time,Location, and Context dimensions, event detection infrastructure 103 canhandle normalized signals in a more uniform manner increasing eventdetection efficiency and effectiveness.

Event detection infrastructure 103 can also determine an eventtruthfulness, event severity, and an associated geo cell. In one aspect,a Context dimension in a normalized signal increases the efficiency andeffectiveness of determining truthfulness, severity, and an associatedgeo cell.

Generally, an event truthfulness indicates how likely a detected eventis actually an event (vs. a hoax, fake, misinterpreted, etc.).Truthfulness can range from less likely to be true to more likely to betrue. In one aspect, truthfulness is represented as a numerical value,such as, for example, from 1 (less truthful) to 10 (more truthful) or aspercentage value in a percentage range, such as, for example, from 0%(less truthful) to 100% (more truthful). Other truthfulnessrepresentations are also possible. For example, truthfulness can be adimension or represented by one or more vectors.

Generally, an event severity indicates how severe an event is (e.g.,what degree of badness, what degree of damage, etc. is associated withthe event). Severity can range from less severe (e.g., a single vehicleaccident without injuries) to more severe (e.g., multi vehicle accidentwith multiple injuries and a possible fatality). As another example, ashooting event can also range from less severe (e.g., one victim withoutlife threatening injuries) to more severe (e.g., multiple injuries andmultiple fatalities). In one aspect, severity is represented as anumerical value, such as, for example, from 1 (less severe) to 5 (moresevere). Other severity representations are also possible. For example,severity can be a dimension or represented by one or more vectors.

In general, event detection infrastructure 103 can include a geodetermination module including modules for processing different kinds ofcontent including location, time, context, text, images, audio, andvideo into search terms. The geo determination module can query a geocell database with search terms formulated from normalized signalcontent. The geo cell database can return any geo cells having matchingsupplemental information. For example, if a search term includes astreet name, a subset of one or more geo cells including the street namein supplemental information can be returned to the event detectioninfrastructure.

Event detection infrastructure 103 can use the subset of geo cells todetermine a geo cell associated with an event location. Eventsassociated with a geo cell can be stored back into an entry for the geocell in the geo cell database. Thus, over time an historical progressionof events within a geo cell can be accumulated.

As such, event detection infrastructure 103 can assign an event ID, anevent time, an event location, an event category, an event description,an event truthfulness, and an event severity to each detected event.Detected events can be sent to relevant entities, including to mobiledevices, to computer systems, to APIs, to data storage, etc.

Event detection infrastructure 103 detects events from informationcontained in normalized signals 122. Event detection infrastructure 103can detect an event from a single normalized signal 122 or from multiplenormalized signals 122. In one aspect, event detection infrastructure103 detects an event based on information contained in one or morenormalized signals 122. In another aspect, event detectioninfrastructure 103 detects a possible event based on informationcontained in one or more normalized signals 122. Event detectioninfrastructure 103 then validates the potential event as an event basedon information contained in one or more other normalized signals 122.

As depicted, event detection infrastructure 103 includes geodetermination module 104, categorization module 106, truthfulnessdetermination module 107, and severity determination module 108.

Geo determination module 104 can include NLP modules, image analysismodules, etc. for identifying location information from a normalizedsignal. Geo determination module 104 can formulate (e.g., location)search terms 141 by using NLP modules to process audio, using imageanalysis modules to process images, etc. Search terms can include streetaddresses, building names, landmark names, location names, school names,image fingerprints, etc. Event detection infrastructure 103 can use aURL or identifier to access cached content when appropriate.

Categorization module 106 can categorize a detected event into one of aplurality of different categories (e.g., fire, police response, massshooting, traffic accident, natural disaster, storm, active shooter,concerts, protests, etc.) based on the content of normalized signalsused to detect and/or otherwise related to an event.

Truthfulness determination module 107 can determine the truthfulness ofa detected event based on one or more of: source, type, age, and contentof normalized signals used to detect and/or otherwise related to theevent. Some signal types may be inherently more reliable than othersignal types. For example, video from a live traffic camera feed may bemore reliable than text in a social media post. Some signal sources maybe inherently more reliable than others. For example, a social mediaaccount of a government agency may be more reliable than a social mediaaccount of an individual. The reliability of a signal can decay overtime.

Severity determination module 108 can determine the severity of adetected event based on or more of: location, content (e.g., dispatchcodes, keywords, etc.), and volume of normalized signals used to detectand/or otherwise related to an event. Events at some locations may beinherently more severe than events at other locations. For example, anevent at a hospital is potentially more severe than the same event at anabandoned warehouse. Event category can also be considered whendetermining severity. For example, an event categorized as a “Shooting”may be inherently more severe than an event categorized as “PolicePresence” since a shooting implies that someone has been injured.

Geo cell database 111 includes a plurality of geo cell entries. Each geocell entry is included in a geo cell defining an area and correspondingsupplemental information about things included in the defined area. Thecorresponding supplemental information can include latitude/longitude,street names in the area defined by and/or beyond the geo cell,businesses in the area defined by the geo cell, other Areas of Interest(AOIs) (e.g., event venues, such as, arenas, stadiums, theaters, concerthalls, etc.) in the area defined by the geo cell, image fingerprintsderived from images captured in the area defined by the geo cell, andprior events that have occurred in the area defined by the geo cell. Forexample, geo cell entry 151 includes geo cell 152, lat/lon 153, streets154, businesses 155, AOIs 156, and prior events 157. Each event in priorevents 157 can include a location (e.g., a street address), a time(event occurrence time), an event category, an event truthfulness, anevent severity, and an event description. Similarly, geo cell entry 161includes geo cell 162, lat/lon 163, streets 164, businesses 165, AOIs166, and prior events 167. Each event in prior events 167 can include alocation (e.g., a street address), a time (event occurrence time), anevent category, an event truthfulness, an event severity, and an eventdescription.

Other geo cell entries can include the same or different (more or less)supplemental information, for example, depending on infrastructuredensity in an area. For example, a geo cell entry for an urban area cancontain more diverse supplemental information than a geo cell entry foran agricultural area (e.g., in an empty field).

Geo cell database 111 can store geo cell entries in a hierarchicalarrangement based on geo cell precision. As such, geo cell informationof more precise geo cells is included in the geo cell information forany less precise geo cells that include the more precise geo cell.

Geo determination module 104 can query geo cell database 111 with searchterms 141. Geo cell database 111 can identify any geo cells havingsupplemental information that matches search terms 141. For example, ifsearch terms 141 include a street address and a business name, geo celldatabase 111 can identify geo cells having the street name and businessname in the area defined by the geo cell. Geo cell database 111 canreturn any identified geo cells to geo determination module 104 in geocell subset 142.

Geo determination module can use geo cell subset 142 to determine thelocation of event 135 and/or a geo cell associated with event 135. Asdepicted, event 135 includes event ID 132, time 133, location 137,description 136, category 137, truthfulness 138, and severity 139.

Event detection infrastructure 103 can also determine that event 135occurred in an area defined by geo cell 162 (e.g., a geohash havingprecision of level 7 or level 9). For example, event detectioninfrastructure 103 can determine that location 134 is in the areadefined by geo cell 162. As such, event detection infrastructure 103 canstore event 135 in events 167 (i.e., historical events that haveoccurred in the area defined by geo cell 162).

Event detection infrastructure 103 can also send event 135 to eventnotification module 116. Event notification module 116 can notify one ormore entities about event 135.

Privacy Infrastructure

Referring now to FIG. 1C, privacy infrastructure 102 spans signalingestion modules 102, event detection infrastructure 103, and eventnotification 116. Privacy infrastructure 102 can implement any describeduser information privacy operations (e.g., removal, scrubbing,stripping, obfuscation, access rule application, etc.) within and/orthrough interoperation with one or more of ingestion modules 102, eventdetection infrastructure 103, and event notification 116.

As such, privacy infrastructure 102 may be configured to apply privacyrules, including data scrubbing, during the process of signal ingestion,event detection, and/or event notification. For example, whilenormalizing one of raw signals 121, privacy infrastructure 102 may beused to alter an aspect of the raw signal 121 relating to the Timedimension. One way this may be done is to round a time-stamp to thenearest second, minute, hour, etc. By reducing precision associated witha timestamp, privacy can be increased (e.g., by making it impossible todirectly link a signal aspect to the original aspect). However, thereduced time-stamp precision may cause little, if any, correspondingreduction in identifying an event based on the raw signal 121. Dependingon signal type, the level of precision may be more or less important toevent detection and may also be more or less helpful in eliminating userinformation. Thus, heuristics may be applied to different signal typesto determine relevancy of precision and/or relevancy of reducing userinformation footprint.

Privacy infrastructure 102 can also modify location informationassociated with a signal in a manner that irreversibly increases privacywith little, if any, reduction in event detection capabilities. Forexample, privacy infrastructure 102 can reduce or eliminate GPSprecision. Depending on the signal type, location information may notbenefit event detection. In such cases, signal specific rules may beimplemented to reduce or eliminate the unnecessary information prior toevent detection processing.

Privacy infrastructure 102 can also modify different types of contextualinformation to improve privacy. For example, vehicle telematicsinformation may include metadata identifying a make/model of a vehicle.However, if such telematic information is used to detect events, suchas, car accidents, the exact make/model of the automobile may not benecessary and can be eliminated from the signal during normalization. Inanother example, content from a social media post may be scrubbed toeliminate extraneous information. This may be accomplished throughnatural language processing and configured to eliminate content such asnames, locations, or other sensitive information.

As described, privacy infrastructure 102 can perform privacy actionsduring signal ingestion including applying a layer of obfuscation alongwith an indication of how and/or when any reversible linkage should bedestroyed, scrubbed, or otherwise removed from the system. For example,a user ID field may be hashed using a customized salt during signalingestion and marked with time-domain expiry information. The data thenproceeds through the system, for example, to event detection, in itssalted form. While within the time-domain, the customized salt may beavailable if it becomes necessary to ascertain the pre-obfuscated data.However, once the time-domain has expired, the custom salt may bedestroyed. Destroying the custom salt essentially permanently andirreversibly obscures the data element (at least to the degree providedby hash/encryption algorithm chosen for the obfuscation) fromtransformation back to its pre-salted form.

Privacy infrastructure 102 can also implement/apply privacy operationsthrough interaction and/or interoperation with event detectioninfrastructure 103 (e.g., prior to, during, or after event detection).Applying obfuscation during event detection may include applyingadditional techniques that are appropriate when different portions ofdata (possibly from different sources) are to be aggregated. In oneexample, when one data signal is determined to be related to an eventthat includes data from other data signals, permissions for eachrespective data signal may be determined. Based upon those permissions,one or more data elements from within one or more of the event relatedsignals may be hidden, scrubbed, or otherwise obfuscated.

For example, if an event is detected using a first signal from a firstentity and a second signal from a second entity, permissions may beconsulted to determine whether the first entity has permission to seeall of the data fields provided within the signal of the second entity.When the first entity does not have permission for one or more fields,those fields may be dropped or obscured. In some scenarios, this mayresult in a failed event detection, or an event detection with a lowerrelative reliability. Reducing reliability may be appropriate, or evendesired, to increase user privacy. In such scenarios, additional signalscan be used to corroborate the event detection without reference to userinformation contained in the first or second signals.

Generally, event detection without refence to user information may makeevent detection less efficient and/or effective (e.g., more signals arerequired, more processing time is required, etc.). However, thetrade-off between privacy and additional signal processing may beappropriate and is often desirable. Further, the ability to detectevents using privacy-aware methods increases data security.

Privacy infrastructure 102 can also implement/apply privacy operationsthrough interaction and/or interoperation with event notification 116(e.g., prior to, during, or after event notification). Once an event,such as event 135, has been identified, a notification may be generatedin a way that maintains user privacy. In one aspect, useridentifications may be removed from a notification altogether where thenotification can be determined to not need such identifiers. This may bedetermined based on the identity of the recipient and notifications ofthe same event customized based on the recipient. For example, if anevent is a fire, a police officer may receive a notification of the fireevent along with a description of a suspected arsonist. A fire fighter,on the other hand, may only receive notification of the occurrence ofthe fire. In this way, the use of personal information is limited inscope according to relevance to the recipient.

In another example, privacy infrastructure 102 and/or event notification116 may employ dynamic notifications that apply rules to userinformation that may change over time or according to context. Forexample, a user may access a dynamic notification during a designatedtime-window in which a suspect description is available. At a latertime, the user may access the same dynamic notification but be unable tosee the suspect descriptors. This change in access may be based on atime-domain (e.g., available for 24 hours) or a relevance domain (e.g.,removed if an updated description is received, a suspect is arrested,etc.)

A dynamic notification may also be implemented such that userinformation is always initially obscured but may be available uponrequest and authentication by a user. This process may rely onuser-based, role-based, or other dynamic or static heuristics. It isappreciated that any combination of these techniques may be implemented.

FIG. 2 illustrates an example computer architecture 200 that facilitatesdetecting an event from features derived from multiple signals. Asdepicted, computer architecture 200 further includes event detectioninfrastructure 103. Event infrastructure 103 can be connected to (or bepart of) a network with signal ingestion modules 101. As such, signalingestion modules 101 and event detection infrastructure 103 can createand exchange message related data over the network.

As depicted, event detection infrastructure 103 further includesevaluation module 206. Evaluation module 206 is configured to determineif features of a plurality of normalized signals collectively indicatean event. Evaluation module 206 can detect (or not detect) an eventbased on one or more features of one normalized signal in combinationwith one or more features of another normalized signal.

As further depicted in FIG. 2, privacy infrastructure 102 can spanmodules that facilitate event detection, including evaluation module206. Privacy infrastructure 102 can implement and/or apply any describedprivacy operations, such as, user information removal, user informationscrubbing, user information stripping, user information obfuscation,access rule application, etc., at and/or through interoperation withevaluation module 206.

FIG. 3 illustrates a flow chart of an example method 300 for detectingan event from features derived from multiple signals. Method 300 will bedescribed with respect to the components and data in computerarchitecture 200.

Method 300 includes receiving a first signal (301). For example, eventdetection infrastructure 103 can receive normalized signal 122B. Method300 includes deriving first one or more features of the first signal(302). For example, event detection infrastructure 103 can derivefeatures 201 of normalized signal 122B. Features 201 can include and/orbe derived from time 123B, location 124B, context 126B, content 127B,type 128B, and source 129B. Event detection infrastructure 103 can alsoderive features 201 from one or more single source probabilitiesassigned to normalized signal 122B.

Method 300 includes determining that the first one or more features donot satisfy conditions to be identified as an event (303). For example,evaluation module 206 can determine that features 201 do not satisfyconditions to be identified as an event. That is, the one or morefeatures of normalized signal 122B do not alone provide sufficientevidence of an event. In one aspect, one or more single sourceprobabilities assigned to normalized signal 122B do not satisfyprobability thresholds in thresholds 226.

Method 300 includes receiving a second signal (304). For example, eventdetection infrastructure 103 can receive normalized signal 122A. Method300 includes deriving second one or more features of the second signal(305). For example, event detection infrastructure 103 can derivefeatures 202 of normalized signal 122A. Features 202 can include and/orbe derived from time 123A, location 124A, context 126A, content 127A,type 128A, and source 129A. Event detection infrastructure 103 can alsoderive features 202 from one or more single source probabilitiesassigned to normalized signal 122A.

Method 300 includes aggregating the first one or more features with thesecond one or more features into aggregated features (306). For example,evaluation module 206 can aggregate features 201 with features 202 intoaggregated features 203. Evaluation module 206 can include an algorithmthat defines and aggregates individual contributions of different signalfeatures into aggregated features. Aggregating features 201 and 202 caninclude aggregating a single source probability assigned to normalizedsignal 122B for an event type with a signal source probability assignedto normalized signal 122A for the event type into a multisourceprobability for the event type.

Method 300 includes detecting an event from the aggregated features(307). For example, evaluation module 206 can determine that aggregatedfeatures 203 satisfy conditions to be detected as an event. Evaluationmodule 206 can detect event 224, such as, for example, a fire, anaccident, a shooting, a protest, etc. based on satisfaction of theconditions.

In one aspect, conditions for event identification can be included inthresholds 226. Conditions can include threshold probabilities per eventtype. When a probability exceeds a threshold probability, evaluationmodule 106 can detect an event. A probability can be a single signalprobability or a multisource (aggregated) probability. As such,evaluation module 206 can detect an event based on a multisourceprobability exceeding a probability threshold in thresholds 226.

In some aspects, method 300 also includes one or more privacyoperations. Privacy infrastructure 102 can implement and/or apply anydescribed privacy operations, such as, user information removal, userinformation scrubbing, user information stripping, user informationobfuscation, access rule application, etc., prior to, during, or afterany of: 301, 302, 303, 304, 305, 306, or 307.

FIG. 4 illustrates an example computer architecture 400 that facilitatesdetecting an event from features derived from multiple signals. Asdepicted, event detection infrastructure 103 further includes evaluationmodule 206 and validator 204. Evaluation module 206 is configured todetermine if features of a plurality of normalized signals indicate apossible event. Evaluation module 206 can detect (or not detect) apossible event based on one or more features of a normalized signal.Validator 204 is configured to validate (or not validate) a possibleevent as an actual event based on one or more features of anothernormalized signal.

As depicted in FIG. 4, privacy infrastructure 102 can span modules thatfacilitate event detection, including validation 204 and evaluationmodule 206. Privacy infrastructure 102 can implement and/or apply anydescribed privacy operations, such as, user information removal, userinformation scrubbing, user information stripping, user informationobfuscation, access rule application, etc., at and/or throughinteroperation with any of: validation 204 or evaluation module 206.

FIG. 5 illustrates a flow chart of an example method 500 for detectingan event from features derived from multiple signals. Method 500 will bedescribed with respect to the components and data in computerarchitecture 400.

Method 500 includes receiving a first signal (501). For example, eventdetection infrastructure 103 can receive normalized signal 122B. Method500 includes deriving first one or more features of the first signal(502). For example, event detection infrastructure 103 can derivefeatures 401 of normalized signal 122B. Features 401 can include and/orbe derived from time 123B, location 124B, context 126B, content 127B,type 128B, and source 129B. Event detection infrastructure 103 can alsoderive features 401 from one or more single source probabilitiesassigned to normalized signal 122B.

Method 500 includes detecting a possible event from the first one ormore features (503). For example, evaluation module 206 can detectpossible event 423 from features 401. Based on features 401, eventdetection infrastructure 103 can determine that the evidence in features401 is not confirming of an event but is sufficient to warrant furtherinvestigation of an event type. In one aspect, a single sourceprobability assigned to normalized signal 122B for an event type doesnot satisfy a probability threshold for full event detection but doessatisfy a probability threshold for further investigation.

Method 500 includes receiving a second signal (504). For example, eventdetection infrastructure 103 can receive normalized signal 122A. Method500 includes deriving second one or more features of the second signal(505). For example, event detection infrastructure 103 can derivefeatures 402 of normalized signal 122A. Features 402 can include and/orbe derived from time 123A, location 124A, context 126A, content 127A,type 128A, and source 129A. Event detection infrastructure 103 can alsoderive features 402 from one or more single source probabilitiesassigned to normalized signal 122A.

Method 500 includes validating the possible event as an actual eventbased on the second one or more features (506). For example, validator204 can determine that possible event 423 in combination with features402 provide sufficient evidence of an actual event. Validator 204 canvalidate possible event 423 as event 424 based on features 402. In oneaspect, validator 204 considers a single source probability assigned tonormalized signal 122B in view of a single source probability assignedto normalized signal 122B. Validator 204 determines that the signalsource probabilities, when considered collectively satisfy a probabilitythreshold for detecting an event.

In some aspects, method 500 also includes one or more privacyoperations. Privacy infrastructure 102 can implement and/or apply anydescribed privacy operations, such as, user information removal, userinformation scrubbing, user information stripping, user informationobfuscation, access rule application, etc., prior to, during, or afterany of: 501, 502, 503, 504, 505, or 506.

Forming and Detecting Events from Signal Groupings

In general, a plurality of normalized (e.g., TLC) signals can be groupedtogether in a signal group based on spatial similarity and/or temporalsimilarity among the plurality of normalized signals and/orcorresponding raw (non-normalized) signals. A feature extractor canderive features (e.g., percentages, counts, durations, histograms, etc.)of the signal group from the plurality of normalized signals. An eventdetector can attempt to detect events from signal group features.

In one aspect, a plurality of normalized (e.g., TLC) signals areincluded in a signal sequence. Turning to FIG. 6A, event detectioninfrastructure 103 can include sequence manager 604, feature extractor609, and sequence storage 613. Sequence manager 604 further includestime comparator 606, location comparator 607, and deduplicator 608.

Time comparator 606 is configured to determine temporal similaritybetween a normalized signal and a signal sequence. Time comparator 606can compare a signal time of a received normalized signal to a timeassociated with existing signal sequences (e.g., the time of the firstsignal in the signal sequence). Temporal similarity can be defined by aspecified time period, such as, for example, 5 minutes, 10 minutes, 20minutes, 30 minutes, etc. When a normalized signal is received withinthe specified time period of a time associated with a signal sequence,the normalized signal can be considered temporally similar to signalsequence.

Likewise, location comparator 607 is configured to determine spatialsimilarity between a normalized signal and a signal sequence. Locationcomparator 607 can compare a signal location of a received normalizedsignal to a location associated with existing signal sequences (e.g.,the location of the first signal in the signal sequence). Spatialsimilarity can be defined by a geographic area, such as, for example, adistance radius (e.g., meters, miles, etc.), a number of geo cells of aspecified precision, an Area of Interest (AoI), etc. When a normalizedsignal is received within the geographic area associated with a signalsequence, the normalized signal can be considered spatially similar tosignal sequence.

Deduplicator 608 is configured to determine if a signal is a duplicateof a previously received signal. Deduplicator 608 can detect a duplicatewhen a normalized signal includes content (e.g., text, image, etc.) thatis essentially identical to previously received content (previouslyreceived text, a previously received image, etc.). Deduplicator 608 canalso detect a duplicate when a normalized signal is a repost orrebroadcast of a previously received normalized signal. Sequence manager604 can ignore duplicate normalized signals.

Sequence manager 604 can include a signal having sufficient temporal andspatial similarity to a signal sequence (and that is not a duplicate) inthat signal sequence. Sequence manager 604 can include a signal thatlacks sufficient temporal and/or spatial similarity to any signalsequence (and that is not a duplicate) in a new signal sequence. Asignal can be encoded into a signal sequence as a vector using any of avariety of algorithms including recurrent neural networks (RNN) (LongShort Term Memory (LSTM) networks and Gated Recurrent Units (GRUs)),convolutional neural networks, or other algorithms.

Feature extractor 609 is configured to derive features of a signalsequence from signal data contained in the signal sequence. Derivedfeatures can include a percentage of normalized signals per geohash, acount of signals per time of day (hours:minutes), a signal gap histogramindicating a history of signal gap lengths (e.g., with bins for 1 s, 5s, 10 s, 1 m, 5 m, 10 m, 30 m), a count of signals per signal source,model output histograms indicating model scores, a sequent duration,count of signals per signal type, a number of unique users that postedsocial content, etc. However, feature extractor 609 can derive a varietyof other features as well. Additionally, the described features can beof different shapes to include more or less information, such as, forexample, gap lengths, provider signal counts, histogram bins, sequencedurations, category counts, etc.

As depicted in FIG. 6A, privacy infrastructure 102 can span modules thatfacilitate event detection, including modules of sequence manager 604(including time comparator 606, location comparator 607, anddeduplicator 608) and feature extractor 609. Privacy infrastructure 102can implement and/or apply any described privacy operations, such as,user information removal, user information scrubbing, user informationstripping, user information obfuscation, access rule application, etc.,at and/or through interoperation with any of: sequence manager 604, timecomparator 606, location comparator 607, deduplicator 608, and featureextractor 609.

FIG. 7 illustrates a flow chart of an example method 700 for forming asignal sequence. Method 700 will be described with respect to thecomponents and data in computer architecture 600.

Method 700 includes receiving a normalized signal including time,location, context, and content (701). For example, sequence manager 604can receive normalized signal 622A. Method 700 includes forming a signalsequence including the normalized signal (702). For example, timecomparator 606 can compare time 623A to times associated with existingsignal sequences. Similarly, location comparator 607 can comparelocation 124A to locations associated with existing signal sequences.Time comparator 606 and/or location comparator 607 can determine thatnormalized signal 122A lacks sufficient temporal similarity and/or lackssufficient spatial similarity respectively to existing signal sequences.Deduplicator 608 can determine that normalized signal 122A is not aduplicate normalized signal. As such, sequence manager 604 can formsignal sequence 631, include normalized signal 122A in signal sequence631, and store signal sequence 631 in sequence storage 613.

Method 700 includes receiving another normalized signal includinganother time, another location, another context, and other content(703). For example, sequence manager 604 can receive normalized signal622B.

Method 700 includes determining that there is sufficient temporalsimilarity between the time and the other time (704). For example, timecomparator 606 can compare time 123B to time 123A. Time comparator 606can determine that time 123B is sufficiently similar to time 123A.Method 700 includes determining that there is sufficient spatialsimilarity between the location and the other location (705). Forexample, location comparator 607 can compare location 124B to location124A. Location comparator 607 can determine that location 124B hassufficient similarity to location 124A.

Method 700 includes including the other normalized signal in the signalsequence based on the sufficient temporal similarity and the sufficientspatial similarity (706). For example, sequence manager 604 can includenormalized signal 124B in signal sequence 631 and update signal sequence631 in sequence storage 613

Subsequently, sequence manager 604 can receive normalized signal 122C.Time comparator 606 can compare time 123C to time 123A and locationcomparator 607 can compare location 124C to location 124A. If there issufficient temporal and spatial similarity between normalized signal122C and normalized signal 122A, sequence manager 604 can includenormalized signal 122C in signal sequence 631. On the other hand, ifthere is insufficient temporal similarity and/or insufficient spatialsimilarity between normalized signal 122C and normalized signal 122A,sequence manager 604 can form signal sequence 632. Sequence manager 604can include normalized signal 122C in signal sequence 632 and storesignal sequence 631 in sequence storage 613.

In some aspects, method 700 also includes one or more privacyoperations. Privacy infrastructure 102 can implement and/or apply anydescribed privacy operations, such as, user information removal, userinformation scrubbing, user information stripping, user informationobfuscation, access rule application, etc., prior to, during, or afterany of: 701, 702, 703, 704, 705, or 706.

Turning to FIG. 6B, event detection infrastructure 103 further includesevent detector 611. Event detector 611 is configured to determine iffeatures extracted from a signal sequence are indicative of an event.

As depicted in FIG. 6B, privacy infrastructure 102 can span modules thatfacilitate event detection, including feature extractor 609 and eventdetector 611. Privacy infrastructure 102 can implement and/or apply anydescribed privacy operations, such as, user information removal, userinformation scrubbing, user information stripping, user informationobfuscation, access rule application, etc., at and/or throughinteroperation with any of: feature extractor 609 or event detector 611.

FIG. 8 illustrates a flow chart of an example method 800 for detectingan event. Method 800 will be described with respect to the componentsand data in computer architecture 600.

Method 800 includes accessing a signal sequence (801). For example,feature extractor 609 can access signal sequence 631. Method 800includes extracting features from the signal sequence (802). Forexample, feature extractor 609 can extract features 633 from signalsequence 631. Method 800 includes detecting an event based on theextracted features (803). For example, event detector 611 can attempt todetect an event from features 633. In one aspect, event detector 611detects event 636 from features 633. In another aspect, event detector611 does not detect an event from features 633.

In some aspects, method 800 also includes one or more privacyoperations. Privacy infrastructure 102 can implement and/or apply anydescribed privacy operations, such as, user information removal, userinformation scrubbing, user information stripping, user informationobfuscation, access rule application, etc., prior to, during, or afterany of: 801, 802, and 803.

Turning to FIG. 6C, sequence manager 604 can subsequently add normalizedsignal 122C to signal sequence 631 changing the signal data contained insignal sequence 631. Feature extractor 609 can again access signalsequence 631. Feature extractor 609 can derive features 634 (whichdiffer from features 633 at least due to inclusion of normalized signal122C) from signal sequence 631. Event detector 611 can attempt to detectan event from features 634. In one aspect, event detector 611 detectsevent 636 from features 634. In another aspect, event detector 611 doesnot detect an event from features 634.

In a more specific aspect, event detector 611 does not detect an eventfrom features 633. Subsequently, event detector 611 detects event 636from features 634.

An event detection can include one or more of a detection identifier, asequence identifier, and an event type (e.g., accident, hazard, fire,traffic, weather, etc.).

A detection identifier can include a description and features. Thedescription can be a hash of the signal with the earliest timestamp in asignal sequence. Features can include features of the signal sequence.Including features provides understanding of how a multisource detectionevolves over time as normalized signals are added. A detectionidentifier can be shared by multiple detections derived from the samesignal sequence.

A sequence identifier can include a description and features. Thedescription can be a hash of all the signals included in the signalsequence. Features can include features of the signal sequence.Including features permits multisource detections to be linked to humanevent curations. A sequence identifier can be unique to a group ofsignals included in a signal sequence. When signals in a signal sequencechange (e.g., when a new normalized signal is added), the sequenceidentifier is changed.

As depicted in FIG. 6C, privacy infrastructure 102 can span modules thatfacilitate event detection, including feature extractor 609 and eventdetector 611. Privacy infrastructure 102 can implement and/or apply anydescribed privacy operations, such as, user information removal, userinformation scrubbing, user information stripping, user informationobfuscation, access rule application, etc., at and/or throughinteroperation with any of: feature extractor 609 or event detector 611.

In one aspect, event detection infrastructure 103 also includes one ormore multisource classifiers. Feature extractor 609 can send extractedfeatures to the one or more multisource classifiers. Per event type, theone or more multisource classifiers compute a probability (e.g., usingartificial intelligence, machine learning, neural networks, etc.) thatthe extracted features indicate the type of event. Event detector 611can detect (or not detect) an event from the computed probabilities.

For example, turning to FIG. 6D, multi-source classifier 612 isconfigured to assign a probability that a signal sequence is a type ofevent. Multi-source classifier 612 formulate a detection from signalsequence features. Multi-source classifier 612 can implement any of avariety of algorithms including: logistic regression, random forest(RF), support vector machines (SVM), gradient boosting (GBDT), linear,regression, etc.

For example, multi-source classifier 612 (e.g., using machine learning,artificial intelligence, neural networks, etc.) can formulate detection641 from features 633. As depicted, detection 641 includes detection ID642, sequence ID 643, category 644, and probability 646. Detection 641can be forwarded to event detector 611. Event detector 611 can determinethat probability 646 does not satisfy a detection threshold for category644 to be indicated as an event. Detection 641 can also be stored insequence storage 613.

Subsequently, turning to FIG. 6E, multi-source classifier 612 (e.g.,using machine learning, artificial intelligence, neural networks, etc.)can formulate detection 651 from features 634. As depicted, detection651 includes detection ID 642, sequence ID 647, category 644, andprobability 648. Detection 651 can be forwarded to event detector 611.Event detector 611 can determine that probability 648 does satisfy adetection threshold for category 644 to be indicated as an event.Detection 641 can also be stored in sequence storage 613. Event detector611 can output event 636.

As detections age and are not determined to be accurate (i.e., are notTrue Positives), the probability declines that signals are “TruePositive” detections of actual events. As such, a multi-sourceprobability for a signal sequence, up to the last available signal, canbe decayed over time. When a new signal comes in, the signal sequencecan be extended by the new signal. The multi-source probability isrecalculated for the new, extended signal sequence, and decay beginsagain.

In general, decay can also be calculated “ahead of time” when adetection is created and a probability assigned. By pre-calculatingdecay for future points in time, downstream systems do not have toperform calculations to update decayed probabilities. Further, differentevent classes can decay at different rates. For example, a firedetection can decay more slowly than a crash detection because thesetypes of events tend to resolve at different speeds. If a new signal isadded to update a sequence, the pre-calculated decay values may bediscarded. A multi-source probability can be re-calculated for theupdated sequence and new pre-calculated decay values can be assigned.

Multi-source probability decay can start after a specified period oftime (e.g., 3 minutes) and decay can occur in accordance with a defineddecay equation. Thus, modeling multi-source probability decay caninclude an initial static phase, a decay phase, and a final staticphase. In one aspect, decay is initially more pronounced and thenweakens. Thus, as a newer detection begins to age (e.g., by one minute)it is more indicative of a possible “false positive” relative to anolder event that ages by an additional minute.

In one aspect, a decay equation defines exponential decay ofmulti-source probabilities. Different decay rates can be used fordifferent classes. Decay can be similar to radioactive decay, withdifferent tau values used to calculate the “half life” of multi-sourceprobability for a class. Tau values can vary by event type.

In FIGS. 6D and 6E, decay for signal sequence 631 can be defined indecay parameters 114. Sequence manager 104 can decay multisourceprobabilities computed for signal sequence 631 in accordance with decayparameters 614.

As depicted in FIGS. 6D and 6E, privacy infrastructure 102 can spanmodules that facilitate event detection, including sequence manager 604,event detector 611, and multi-source classifier 612. Privacyinfrastructure 102 can implement and/or apply any described privacyoperations, such as, user information removal, user informationscrubbing, user information stripping, user information obfuscation,access rule application, etc., at and/or through interoperation with anyof: sequence manager 604, event detector 611, and multi-sourceclassifier 612.

The components and data depicted in FIGS. 1-8 can be integrated withand/or can interoperate with one another to detect events. For example,evaluation module 206 and/or validator 204 can include and/orinteroperate with one or more of: a sequence manager, a featureextractor, multi-source classifiers, or an event detector.

The present described aspects may be implemented in other specific formswithout departing from its spirit or essential characteristics. Thedescribed aspects are to be considered in all respects only asillustrative and not restrictive. The scope is, therefore, indicated bythe appended claims rather than by the foregoing description. Allchanges which come within the meaning and range of equivalency of theclaims are to be embraced within their scope.

What is claimed:
 1. A method comprising: receiving a first Time,Location, Context (TLC) normalized signal including user information andincluding a first time dimension, a first location dimension, and afirst context dimension, the first context dimension including a firstsingle source probability representing at least a first approximateprobability of a real-world event of a specified event type; removing atleast a portion of the user information; deriving first one or morefeatures from the first TLC normalized signal including from the firstsingle source probability subsequent to removing the at least a portionof the user information; determining that the first one or morefeatures, including the first single source probability, provideinsufficient evidence to be identified as the real-world event of thespecified event type; receiving a second Time, Location, Context (TLC)normalized signal including a second time dimension, a second locationdimension, and a second context dimension, the second context dimensionincluding a second single source probability representing at least asecond approximate probability that the real-world event of thespecified event type; deriving second one or more features from thesecond TLC normalized signal including from the second single sourceprobability; aggregating the first single source probability and thesecond single source probability into a multisource probability; anddetecting the real-world event from evidence provided by the multisourceprobability, including the multisource probability exceeding a thresholdprobability associated with the event type.
 2. The method of claim 1,wherein the first TLC normalized signal corresponds to one of: a socialpost with geographic content, a social post without geographic content,an image from a camera feed, a 911 call, weather data, IoT device data,satellite data, satellite imagery, a sound clip from a listening device,data from air quality sensors, a sound clip from radio communication,crowd sourced traffic information, or crowd sourced road information. 3.The method of claim 2, wherein the second TLC normalized signalcorresponds to a different one of: a social post with geographiccontent, a social post without geographic content, an image from atraffic camera feed, a 911 call, weather data, IoT device data,satellite data, satellite imagery, a sound clip from a listening device,data from air quality sensors, a sound clip from radio communication,crowd sourced traffic information, or crowd sourced road information. 4.The method of claim 1, wherein determining that the first one or morefeatures, including the first single source probability, provideinsufficient evidence to be identified as the real-world event comprisedetecting a possible event from the first one or more features; andwherein detecting the real-world event from evidence provided by themultisource probability comprises validating the possible event as thereal-world event based on the second one or more features.
 5. The methodof claim 1, wherein receiving a second Time, Location, Context (TLC)normalized signal comprises receiving the second Time, Location, Context(TLC) normalized signal that includes other user information; furthercomprising removing at least a portion of the other user information;and wherein deriving second one or more features from the second TLCnormalized signal comprises deriving second one or more features fromthe second TLC normalized signal subsequent to removing the at least aportion of the other user information.
 6. The method of claim 1, furthercomprising: including the first TLC normalized signal in a signalsequence; determining that the second TLC normalized signal hassufficient temporal similarity to the first TLC normalized signal;determining that the second TLC normalized signal has sufficient spatialsimilarity to the first TLC normalized signal; and including the secondnormalized signal in the signal sequence.
 7. The method of claim 6,wherein aggregating the first single source probability with the secondsingle source probability comprises deriving features of the signalsequence from the first one or more features and the second one or morefeatures.
 8. The method of claim 7, wherein deriving features of thesignal sequence comprises deriving one or more of: a percentage, acount, a histogram, or a duration.
 9. The method of claim 6, furthercomprising determining that the second TLC normalized signal is not aduplicate of the first TLC normalized signal prior to including thesecond TLC normalized signal in the signal sequence.
 10. The method ofclaim 1, wherein detecting the real-world event from evidence providedby the multisource probability comprises removing at least anotherportion of the user information.
 11. A system comprising: a processor;system memory coupled to the processor and storing instructionsconfigured to cause the processor to: receive a first Time, Location,Context (TLC) normalized signal including user information and includinga first time dimension, a first location dimension, and a first contextdimension, the first context dimension including a first single sourceprobability representing at least a first approximate probability of areal- world event of a specified event type; remove at least a portionof the user information; derive first one or more features from thefirst TLC normalized signal including from the first single sourceprobability subsequent to removing the at least a portion of the userinformation; determine that the first one or more features, includingthe first single source probability, provide insufficient evidence to beidentified as the real-world event of the specified event type; receivea second Time, Location, Context (TLC) normalized signal including asecond time dimension, a second location dimension, and a second contextdimension, the second context dimension including a second single sourceprobability representing at least a second approximate probability thatthe real- world event of the specified event type; derive second one ormore features from the second TLC normalized signal including from thesecond single source probability; aggregate the first single sourceprobability and the second single source probability into a multisourceprobability; and detect the real-world event from evidence provided bythe multisource probability, including the multisource probabilityexceeding a threshold probability associated with the event type. 12.The system of claim 11, wherein instructions configured to determinethat the first one or more features, including the first single sourceprobability, provide insufficient evidence to be identified as thereal-world event comprise instructions configured to determine the firstsingle source probability is not confirming of the real-world event butis sufficient to warrant further investigation of the event type. 13.The system of claim 11, wherein instructions configured to receive afirst TLC normalized signal comprise instructions configured to receivethe first TLC normalized signal corresponding to one of: a social postwith geographic content, a social post without geographic content, animage from a camera feed, a 911 call, weather data, IoT device data,satellite data, satellite imagery, a sound clip from a listening device,data from air quality sensors, a sound clip from radio communication,crowd sourced traffic information, or crowd sourced road information.14. The system of claim 13, wherein instructions configured to receivethe second TLC normalized signal comprise instructions configured toreceive the second TLC normalized signal corresponding to a differentone of: a social post with geographic content, a social post withoutgeographic content, an image from a traffic camera feed, a 911 call,weather data, IoT device data, satellite data, satellite imagery, asound clip from a listening device, data from air quality sensors, asound clip from radio communication, crowd sourced traffic information,or crowd sourced road information.
 15. The system of claim 11, whereininstructions configured to receive a second Time, Location, Context(TLC) normalized signal comprise wherein instructions configured toreceive the second Time, Location, Context (TLC) normalized signal thatincludes other user information; further comprising instructionsconfigured to remove at least a portion of the other user information;and wherein instructions configured to derive second one or morefeatures from the second TLC normalized signal comprise instructionsconfigured to derive second one or more features from the second TLCnormalized signal subsequent to removing the at least a portion of theother user information.
 16. The system of claim 11, further comprisinginstructions configured to: include the first TLC normalized signal in asignal sequence; determine that the second TLC normalized signal hassufficient temporal similarity to the first TLC normalized signal;determine that the second TLC normalized signal has sufficient spatialsimilarity to the first TLC normalized signal; and include the secondnormalized signal in the signal sequence.
 17. The system of claim 16,wherein instructions configured to aggregate the first single sourceprobability with the second single source probability compriseinstructions configured to derive features of the signal sequence fromthe first one or more features and the second one or more features. 18.The system of claim 16, further comprising instructions configured toderive features of the signal sequence, including deriving one or moreof: a percentage, a count, a histogram, or a duration.
 19. The system ofclaim 16, further comprising instructions configured to determine thatthe second TLC normalized signal is not a duplicate of the first TLCnormalized signal prior to including the second TLC normalized signal inthe signal sequence.
 20. The system of claim 11, wherein instructionsconfigured to detect the real-world event from evidence provided by themultisource probability comprise instructions configured to remove atleast another portion of the user information.